Abstract

We construct the first example of an efficient proof of knowledge protocol for demonstrating Solovay-Strassen primality evidence on an integer being the product of two primes of roughly equal sizes. The computational cost of the new protocol is the same as that of performing six Solovay-Strassen primality tests on non-secret numbers of comparable sizes, while achieving the same error probability of 2^{-k} after k proof interactions. The new protocol also provides the first efficient proof of such integer structure without limiting to Blum integers.

1 Introduction 

In public-key cryptography, an individual user's cryptographic key pair is generated by the user himself. On the other hand, the user's public key should be certified by a known authority for authentication. The authority will naturally demand that a user-generated public/private key pair have a valid private component according to a set of agreed criteria. Zero-knowledge proof is a powerful tool that allows a user to run a protocol with an authority, convincing the latter of the structural validity of the private key without the former disclosing it. For instance, the ISO standardization document 9798 part 3 ([7]) recommends that public-key certification should include a zero-knowledge proof of possession of the private component that matches the public key to be certified.

In this paper we propose a zero-knowledge protocol for proof of private-key structure for cryptosystems based on the difficulty of factoring (such as RSA). The structure is that an integer is the product of two primes of (roughly) equal size.

1.1 Background 

A number of authors [1, 2, 4, 6, 8] proposed zero-knowledge, or proof-of-knowledge, protocols for showing a general form of Blum integers n = p^r q^s, where p and q are two distinct primes satisfying p ≡ q ≡ 3 (mod 4) and r and s are integers. These protocols use the following number theoretic observation. An integer n has two different prime factors, including their powers, if and only if a quarter of the elements in the multiplicative group modulo n are quadratic residues, and n will have at least three different prime factors if no more than one-eighth of such elements are quadratic residues. A prover can thus prove n to be a general form of Blum integer by demonstrating that, for a set of randomly chosen elements as challenges, (s)he can display square roots modulo n for a quarter of them.

Boyar et al. [3] proposed a zero-knowledge protocol for proof of square-free integers. An integer n is said to be square-free if there exists no factor p such that p^2 divides n. The working principle of that protocol is based on the observation that an integer n is square-free if and only if n is relatively prime to φ(n) (Euler's phi function), and this allows a prover to consistently display an n-th root modulo n of a random challenge which is relatively prime to n.

If a general form of Blum integer is also square-free, then it must be the product of 
exactly two distinct primes (i.e., without containing their powers). 

A desirable RSA modulus should be a square-free integer consisting of two prime factors of roughly equal sizes. Thus, obviously, proof of knowledge that an integer is a desirable RSA modulus can go through applications of the previous techniques of proving a general form of Blum integer, proving square-freeness, plus showing the sizes of the two factors (e.g., the approach of [5]). However, such an approach of applying several different proofs has two major disadvantages. First, it is inefficient. In particular we should notice that in square-root or n-th-root displaying protocols, the proving/verification participants must agree on mutually trusted random challenges (or be served with such challenges by a mutually trusted random source). Otherwise, the prover can be used as an oracle to factor the integer under proof, and the verifier can be fooled easily. Therefore, in each of such protocols applied, some additional means, associated with additional costs, are necessary to let the two participants obtain mutually trusted random challenges (such costs were never discussed in the previous works, e.g., in [1, 2, 4, 6, 8, 5]). Secondly, for generality in applications and economy in choosing primes, RSA moduli should not be confined to Blum integers (even though some protocols require use of such integers). Efficient proof of knowledge on desirable RSA moduli without limiting to Blum integers will also have a value in pursuit of new knowledge.

In this paper we propose a proof of knowledge protocol to achieve exactly that. The protocol shows the primality evidence using a variation of the Solovay-Strassen primality test technique [9], and at the same time shows the sizes of the factors at almost no additional cost. Compared with the previous approaches of applying several different proofs, the new protocol not only puts no constraint on the form of the prime factors (though they should be odd), but also reaches a new low in computational cost: the same as that of performing six Solovay-Strassen primality tests on non-secret integers of the size of n. The error probability of the protocol is the same as that of the Solovay-Strassen primality test, 2^{-k} after k interactions. Because the Solovay-Strassen primality test is very efficient, and because there is no need to generate or agree on mutually trusted challenges, it is our belief that the new protocol reaches the best performance in comparison with the previous techniques for demonstrating primality in a proof-of-knowledge manner.

In the remainder of the paper, we describe the new protocol in Section 2, analyze its 
security and performance in Section 3, and conclude in Section 4. 

2 Showing Knowledge of Solovay-Strassen Primality 

2.1 Notations

For a positive integer P, let Z_P^* denote the multiplicative group of elements modulo P. For a set S, we write |S| for the number of elements in S. For integers a and b, write a | b if a divides b, (a, b) for the greatest common divisor of a and b, (a/b) for the Jacobi symbol of a modulo b, and write ℓ(a) to denote the size of a, which is the number of binary bits that a has. For x being a real number, ⌊x⌋ denotes the integer part of x (for instance, ℓ(a) = ⌊log_2(a)⌋ + 1). For a ∈ Z_P^*, we write Ord_P(a) to denote the order of a modulo P.

We shall make use of double exponentiation. Let g be an element of order n, h be an element in Z_n^*, and x < n. By double exponentiation of x to the bases h and g we mean

g^{(h^x mod n)} (mod P).



2.2 Assumptions and Proof System Setup 

We assume that it is computationally infeasible to compute discrete logarithms in the group generated by g. This assumption is reasonable if the group order n is sufficiently large and is non-smooth.

Let Alice be a prover and Bob be a verifier. Alice has constructed an RSA modulus n = pq satisfying that p and q are different odd primes with ℓ(p) = ℓ(q) or ℓ(p) = ℓ(q) ± 1. (We shall later see that our technique can accommodate a suitably bigger size difference if that is desirable.)

She shall then help Bob to set up a multiplicative group of order n. For her part of the setting-up, she only needs to generate a prime P with n | P − 1. This prime can be constructed by testing the primality of P = a·n + 1 for some even integer a. Once P is found prime, she shall send the numbers n and P to Bob.

Upon receipt of n and P, Bob should test the primality of P, check that n is not a square number, and use trial division to make sure that n does not have small factors less than 100. Upon passing these simple tests, he shall fix an element g in Z_P^* using the following procedure. Randomly choose an element β less than P; test that for every prime factor d of a (= (P − 1)/n), and for d = n:

β^{(P−1)/d} ≢ 1 (mod P).

Upon finding β satisfying these, g is set to

g = β^a mod P.

By the prime number theorem, a (= (P − 1)/n) is within the scope of O(ℓ(n)). So it will be computationally easy for Bob to completely factor a and therefore use the procedure to find g.

Lemma 1 Without the knowledge of the factorization of n, the element g chosen using the above procedure satisfies Ord_P(g) = n with an error probability of Σ_{d|n, d≠n} φ(d) / (P − 1).

Proof Since g^n ≡ 1 (mod P), we know Ord_P(g) | n. We also know that for any d | P − 1, the cyclic group Z_P^* has exactly φ(d) elements of order d. So without the knowledge of the factorization of n, there will only be a

Σ_{d|n, d≠n} φ(d) / (P − 1)

probability for Bob to pick a g of order less than n. □

This probability is negligible as it is comparable to that of factoring n via trial division.

Bob shall send g to Alice. She shall set

A = g^p mod P, B = g^q mod P.

Alice then sends A, B to Bob. The values g, A, B, n, P will be used as the common input to a protocol for proof that log_g(A) and log_g(B) are in fact the two different prime factors of n.

2.3 The Protocol 

The protocol Two_Prime_Product specified below demonstrates that the non-square number n is the product of two different odd primes of roughly equal sizes. For clarity, we shall omit the trailing operation mod P in the presentation.

Two_Prime_Product(g, A, B, n, P)
Repeat the following steps k times:

1. Bob picks h ∈ Z_n^* at random with (h/n) = −1, and sends it to Alice;

2. Alice picks u, v at random, satisfying

ℓ(u) = ℓ((p − 1)/2), ℓ(v) = ℓ((q − 1)/2),

and sets

G_u ← g^{2u}, G_v ← g^{2v}, H_u ← B^{(h^u mod n)}, H_v ← A^{(h^v mod n)}.

Alice sends to Bob: G_u, G_v, H_u, H_v;

3. Bob picks a challenge c ∈ {0, 1} at random, and sends it to Alice;

4. Alice sends Bob the responses

r ← u + c(p − 1)/2, s ← v + c(q − 1)/2;

5. Bob verifies (rejects the proof if any verification fails):

5.1 ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2;

5.2 two congruences by which Bob checks that Alice knows log_g(A) and that B^{log_g(A)} ≡ 1 (mod P) (see Section 3.2);

5.3 the analogous two congruences for log_g(B) and A^{log_g(B)} ≡ 1 (mod P);

5.4 B^{(h^r mod n)} ≡ H_u^{±1}, A^{(h^s mod n)} ≡ H_v^{∓1},

where H_u^{±1} and H_v^{∓1} mean that the two exponents take opposite signs.

We should point out that requiring Bob to choose h with the Jacobi symbol −1 is only for conciseness in the protocol specification. Evaluation of the Jacobi symbol can be omitted. Then what Bob has to check in addition is that in the k iterations he sees in step 5.4 at least one occasion of H_u^{−1} and one occasion of H_v^{−1}. A simplification can be as follows. Bob begins with choosing h with the Jacobi symbol −1, and then stops evaluating the Jacobi symbol once he has seen both of the two occasions. He will have a high probability of seeing both occasions within the first few iterations, since the probability of keeping on seeing only one occasion diminishes exponentially fast. This point will become clear after the proof of Theorem 2.
Although we have required Alice to choose p and q satisfying ℓ(p) = ℓ(q) or ℓ(p) = ℓ(q) ± 1, a more relaxed size difference can be accommodated. For each added bit of difference, the two size-checking inequalities in protocol step 5.1 should be adjusted accordingly, such that 1 is added to the right-hand sides of the two inequalities in 5.1. Later we shall further see (in the proof of the soundness of the protocol, Section 3.2) that a bigger size difference requires increasing the number of trial divisions to guard against n containing small factors.

Using a cryptographically secure hash function to generate the challenge bits, the protocol can be modified into a parallel version, which saves communication cost.
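The set-up of Section 2.2 and the unblinded core of verification 5.4, as an added Python example (not code from the paper): it finds P = a·n + 1, lets Bob fix g by the procedure of Lemma 1 using only the factors of a, forms A = g^p and B = g^q, and then shows that for an h with (h/n) = −1 the values B^{(h^{(p−1)/2} mod n)} and A^{(h^{(q−1)/2} mod n)} reduce to B^{±1} and A^{∓1} with opposite signs. The toy primes p = 101, q = 103, the seeded RNG and all helper names are constructed for the example; the random blinding u, v and the challenge c of the real protocol are left out.

```python
import random
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard reciprocity algorithm)."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def solovay_strassen(m, rounds=20, rng=random):
    """Solovay-Strassen test [9]: a prime always passes; a composite passes
    h^((m-1)/2) == (h/m) (mod m) for a random base h with probability <= 1/2."""
    if m < 4:
        return m in (2, 3)
    if m % 2 == 0:
        return False
    for _ in range(rounds):
        h = rng.randrange(2, m)
        j = jacobi(h, m)
        if j == 0 or pow(h, (m - 1) // 2, m) != j % m:
            return False
    return True

def prime_factors(a):
    """Trial-division factorisation; a = (P-1)/n is only O(l(n)) in size."""
    factors, d = set(), 2
    while d * d <= a:
        while a % d == 0:
            factors.add(d)
            a //= d
        d += 1
    return factors | ({a} if a > 1 else set())

def setup_group(n, rng=random):
    """Section 2.2: Alice finds a prime P = a*n + 1 with a even; Bob fixes g = beta^a
    for a beta with beta^((P-1)/d) != 1 for every prime d | a and for d = n (Lemma 1)."""
    a = 2
    while not solovay_strassen(a * n + 1, rng=rng):
        a += 2
    P = a * n + 1
    divisors = prime_factors(a) | {n}   # Bob never needs the factors of n itself
    while True:
        beta = rng.randrange(2, P)
        if all(pow(beta, (P - 1) // d, P) != 1 for d in divisors):
            return P, pow(beta, a, P)

def order_is_n(g, n, P, p, q):
    """Exact check Ord_P(g) = n; needs p and q, so only the example (not Bob) can run it."""
    return pow(g, n, P) == 1 and pow(g, n // p, P) != 1 and pow(g, n // q, P) != 1

def primality_evidence(g, n, P, p, q, h):
    """Unblinded core of check 5.4 for c = 1. With A = g^p, B = g^q and Ord_P(B) = p,
    B^(h^((p-1)/2) mod n) is B^(+1) or B^(-1) by Euler's criterion, the sign being (h/p);
    likewise for A and q. Returns the two signs Bob sees, or None if a value is off."""
    A, B = pow(g, p, P), pow(g, q, P)
    signs = []
    for base, prime in ((B, p), (A, q)):
        val = pow(base, pow(h, (prime - 1) // 2, n), P)
        if val not in (base, pow(base, -1, P)):
            return None
        signs.append(1 if val == base else -1)
    return tuple(signs)

def run_demo(seed=1, p=101, q=103):
    """Constructed toy instance (l(p) = l(q) = 7 bits) driven by a seeded RNG."""
    rng, n = random.Random(seed), p * q
    P, g = setup_group(n, rng)
    h = next(x for x in range(2, n) if gcd(x, n) == 1 and jacobi(x, n) == -1)
    return {"n": n, "P": P, "g": g, "h": h, "order_ok": order_is_n(g, n, P, p, q),
            "signs": primality_evidence(g, n, P, p, q, h)}

if __name__ == "__main__":
    print(run_demo())
```

Because (h/n) = (h/p)(h/q) = −1, the two signs returned by primality_evidence are always opposite whenever g really has order n, which is exactly what Bob checks in 5.4.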



3 Analyses

We analyze the security and the performance of the protocol. The security consists of 
the completeness, soundness, and privacy. 

3.1 Completeness 

Theorem 1 Suppose Alice has input the correct values (as specified) into the protocol. Then Bob will always accept Alice's proof in each iteration.

Proof We show that Bob will be satisfied by his verification steps in 5.1 through 5.4. 

In 5.1 we note that u has been chosen to satisfy ℓ(u) = ℓ((p − 1)/2). So either r = u or r = u + (p − 1)/2 will yield (noting (p − 1)/2 is an integer)

ℓ(r) ≤ ℓ((p − 1)/2) + 1 = ℓ(p) ≤ ⌊ℓ(n)/2⌋ + 2.

(When ℓ(p) = ℓ(q), the right-hand side of the inequality can use ⌊ℓ(n)/2⌋ + 1.)

Analogously, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2. So the verification in 5.1 will pass.

In the following, we assume the case of challenge c = 1. The case c = 0 renders the congruences in 5.2 to 5.4 to hold trivially.

In 5.2, noting log_g(A) = p and the structures of G_u and r, it is easy to see that the first congruence will hold. The second congruence holds similarly, with attention to B^p = g^{qp} = g^n = 1 (mod P). So both congruences in 5.2 will hold.

Analogously, both congruences in 5.3 will hold. 

To see the congruences in 5.4, observe

The first congruence in (1) is due to Ord_P(B) = p | n. Then, since p is prime, the second congruence in (1) follows from Euler's criterion. Therefore, the first congruence in 5.4 is

B^{(h^r mod n)} = B^{(h^{u + (p−1)/2} mod n)}
= (B^{(h^{(p−1)/2} mod n)})^{(h^u mod n)}
≡ (B^{±1})^{(h^u mod n)}
= (B^{(h^u mod n)})^{±1}
= H_u^{±1} (mod P).

Indeed, Bob will accept this congruence.

Analogously, the second congruence in 5.4 will hold. Finally, we note that (1) actually evaluates the Jacobi symbol (h/p). Since Bob has chosen h satisfying (h/n) = −1, the exponents of H_u^{±1} and H_v^{∓1} must take opposite signs. □

3.2 Soundness 

We begin by emphasising that all the numbers and variables appearing in this section are non-negative integers. In particular, log_g(A) and log_g(B) denote the least positive integers x and y less than Ord_P(g) satisfying A ≡ g^x and B ≡ g^y.

Lemma 2 When Bob accepts a proof on the values input to Two_Prime_Product, he accepts

i) log_g(A) < 2^{⌊ℓ(n)/2⌋+3}, log_g(B) < 2^{⌊ℓ(n)/2⌋+3},

ii) log_g(A) = a·Ord_P(B), log_g(B) = b·Ord_P(A), where a < 64 and b < 64,

with probability ≥ 1 − 1/2^k, where k is the number of iterations in the protocol.

Proof For clarity, we denote x = Ord_P(B), y = Ord_P(A). Since A and B are generated from g of order n (recall Lemma 1: Ord_P(g) = n holds with probability 1 − Σ_{d|n, d≠n} φ(d)/(P − 1)), we have

x | n, y | n. (2)

The verification of the first congruence in 5.2 forms a standard proof of knowledge that Alice knows log_g(A), and the second congruence further shows

B^{log_g(A)} ≡ 1 (mod P). (3)

Analogously, 5.3 forms the verification of proof that Alice knows log_g(B) and

A^{log_g(B)} ≡ 1 (mod P). (4)



Received 08-02-99 17:12 From-44 117 922 8941 To-THE PATENT OFFICE Page 10




The congruences (3) and (4) imply

x | log_g(A), y | log_g(B).

So we can write

log_g(A) = ax, log_g(B) = by (5)

for some integers a and b.

In protocol step 5.1, Bob has checked that for both challenge cases, the responses r and s satisfy

ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2.

Since ℓ(log_g(A)) ≤ ℓ(2r) and ℓ(log_g(B)) ≤ ℓ(2s), we have

ℓ(log_g(A)) ≤ ⌊ℓ(n)/2⌋ + 3, ℓ(log_g(B)) ≤ ⌊ℓ(n)/2⌋ + 3,

or (and this proves claim (i))

log_g(A), log_g(B) < 2^{⌊ℓ(n)/2⌋+3}. (6)

Combining this with (5), we have

axby = log_g(A) log_g(B) < 2^{ℓ(n)+6}, or abxy < 64n. (7)

Applying the following number theoretic fact (with t in a cyclic group)

Ord(t^k) = Ord(t)/(Ord(t), k),

and noticing x = Ord_P(B), B = g^{by}, Ord_P(g) = n, log_g(B) = by, we can derive

x = n/(n, by).

Noticing (2), y is a factor of n, so (n, by) = b'y for some b' ≤ b. Thus we have reached

b'xy = n. (8)

Placing this result and b' ≤ b into (7), we derive

ab < 64b' ≤ 64b.

So a < 64. By symmetry we can also show b < 64. These plus (5) form claim (ii). (The inequalities in (6) have proved claim (i).) Clearly, if any of the claims is not true, then in each iteration Alice will have at most 1/2 probability to correctly answer Bob's random challenge. Therefore the claims hold with probability 1 − 1/2^k after k iterations of acceptance. □

Theorem 2 Let n be a non-square integer, free of factors up to 100, and be accepted by a proof running Two_Prime_Product. Then with probability ≥ 1 − 1/2^k,

i) log_g(A) and log_g(B) are different odd primes,

ii) n = log_g(A) log_g(B),

where k is the number of iterations in Two_Prime_Product.

Proof We shall use the following notations defined in the proof of Lemma 2: x = Ord_P(B), y = Ord_P(A), ax = log_g(A), by = log_g(B).

Bob's verification of the two congruences in 5.4 (combined with the verifications in 5.2 and 5.3) shows him that (when c = 1)

B^{(h^{(ax−1)/2} mod n)} ≡ B^{±1} (mod P), (9)

and

A^{(h^{(by−1)/2} mod n)} ≡ A^{∓1} (mod P), (10)

for h relatively prime to n with the Jacobi symbol −1. Noticing (2), x | n and y | n, the congruences (9) and (10) imply that for such h,

h^{(ax−1)/2} ≡ ±1 (mod x). (11)

These results allow us to apply a variation of the Solovay-Strassen primality test technique [9] to prove the theorem. Define H_x as the following set:

H_x = { h ∈ Z_x^* | (h, x) = 1 & h^{(ax−1)/2} ≡ ±1 (mod x) & a is an integer }.

Obviously, for any a, H_x is a subgroup of Z_x^* (at least it contains 1), and we know H_x = Z_x^* from Euler's criterion when a = 1 and x is prime. We shall prove on the other hand that if a ≠ 1, or if x is composite, then H_x will be a proper subgroup of Z_x^*. This renders |H_x| ≤ |Z_x^*|/2, and thus, randomly picking h ∈ Z_n^* as Bob did in each iteration in the protocol, the probability for h mod x to fall in H_x cannot exceed 1/2.

There are several cases that need to be reasoned. We shall reason all the cases of x under a ≠ 1. The cases under a = 1 can be analogously reasoned by following the cases we reason below.

Suppose a ≠ 1. There are three sub-cases for x.

Case 1: x is prime. Then (11) implies

h^{ax−1} ≡ 1 (mod x),

for h not divisible by x. Since Z_x^* is of order x − 1 < ax − 1 (a > 1), we have x − 1 | ax − 1. So there exists an integer d such that d(x − 1) = ax − 1, or x = 1 + (a − 1)/(d − a). In Lemma 2 we have proved a < 64. So x < 64. From the hypothesis of the theorem such x cannot be a factor of n. So when a ≠ 1, x must be composite.

Case 2: x = r^d with r being prime and d > 1. In the group Z_x^* there exists an element e of the full order (r − 1)r^{d−1}. This e cannot be in H_x, since otherwise (11) will imply

e^{ax−1} ≡ 1 (mod r^d),

yielding

(r − 1)r^{d−1} | ax − 1.

So there exists λ satisfying

ax − λ(r − 1)r^{d−1} = 1.

This means (r − 1)r^{d−1} is relatively prime to r^d, which is impossible with d > 1. Thus, for this case H_x must be a proper subset of Z_x^*.

Case 3: The only remaining possibility for x being composite renders a non-trivial factorization x = ξη with (ξ, η) = 1. We claim that either H_x is a proper subset of Z_x^* (and we are done), or H_x = Z_x^* will only contain elements satisfying

h^{(ax−1)/2} ≡ 1 (mod x). (12)

Suppose H_x = Z_x^* while (12) is not true. Then there exists an element e ∈ H_x = Z_x^* with e^{(ax−1)/2} ≡ −1 (mod x). Since ξ and η are relatively prime, by the Chinese remainder theorem the system f ≡ 1 (mod ξ), f ≡ e (mod η) has a solution f ∈ Z_x^*. Obviously,

f^{(ax−1)/2} ≡ 1 (mod ξ), f^{(ax−1)/2} ≡ −1 (mod η),

so f^{(ax−1)/2} ≢ ±1 (mod x). So f ∈ Z_x^* \ H_x, a contradiction to H_x = Z_x^*.

So now we have to consider H_x = Z_x^* with the condition (12) holding. That will cause Bob to see in a proof that, when the challenge is c = 1, the right-hand side of the first congruence in 5.4 will always take the positive exponent, and hence that of the second congruence will always take the negative (−1) exponent. This means that Case 3 cannot apply to both x and y. So when x is in Case 3, y can only be of the form r^d with r prime and d ≥ 1. We first consider b ≠ 1 (by = log_g(B), defined in (5) in Lemma 2). Then (by symmetry) either y will be a prime factor of n satisfying y < 64 (Case 1), which has been excluded by the hypothesis of the theorem, or H_y (the notation of H_y follows that of H_x by symmetry) will be a proper subset of Z_y^* (Case 2), which will cause Bob to reject each iteration with at least 1/2 probability. Finally we consider b = 1. Then there are exactly half of the elements in Z_y^* (= Z_{r^d}^*) which are quadratic non-residues modulo y satisfying

(13)

So in each iteration the probability for Bob to pick an h with h mod y satisfying (13) is only 1/2.

To this end we have proved all the cases of x under a ≠ 1. The remaining cases under a = 1 can be analogously proved. The proofs are very similar to those above, except that Case 1 is no longer needed.

By symmetry, we know b = 1 and y is prime. Since a = b = 1 and in (8) b' ≤ b = 1, we have finally proved

log_g(A) log_g(B) = xy = n.

The two primes are different since n is not a square number. We have fully proved the theorem. □

Discussions 

We have seen in the proofs of Lemma 2 and Theorem 2 that the size difference between the two prime factors of n can be set to a desirable scope. The bigger the difference of their sizes, the more work (e.g., trial division) is needed to guard against n containing trivially small factors as in Case 1. In the specified protocol, we have allowed the size difference to be 1 bit.

In Section 2.2 we mentioned that Bob can stop evaluating the Jacobi symbols once he has seen both occasions of H_u^{−1} and H_v^{−1} in protocol step 5.4. The reason for this now becomes clear: an appearance of a negative exponent (one showing is enough) shows the impossibility of Case 3 for the respective factor of n.
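As an added check (not the paper's code) of the set H_x used above with a = 1, the following Python enumerates Z_x^* and counts the h with h^{(x−1)/2} ≡ ±1 (mod x), split by sign, for a prime, a prime power (Case 2), a coprime product (Case 3) and two Carmichael numbers; the moduli 101, 9, 15, 561 and 1729 are constructed sample inputs. 1729 is the all-positive branch of Case 3: every unit passes with exponent +1, so only the demand to see a −1 exponent at least once rules it out.

```python
from math import gcd

def euler_sign_counts(x):
    """Count the units h of Z_x^* with h^((x-1)/2) == +1 and == -1 (mod x); their
    sum is |H_x| for the set H_x of the soundness proof with a = 1. Constructed check."""
    plus = minus = 0
    for h in range(1, x):
        if gcd(h, x) != 1:
            continue
        e = pow(h, (x - 1) // 2, x)
        plus += e == 1
        minus += e == x - 1
    return plus, minus

def h_x_fraction(x):
    """|H_x| / |Z_x^*|: 1 for a prime (Euler's criterion); at most 1/2 for the
    composites of Cases 2 and 3, except the all-positive branch of Case 3 (e.g. 1729)."""
    plus, minus = euler_sign_counts(x)
    units = sum(1 for h in range(1, x) if gcd(h, x) == 1)
    return (plus + minus) / units

if __name__ == "__main__":
    # constructed sample moduli: prime, prime power, coprime product, two Carmichael numbers
    for x in (101, 9, 15, 561, 1729):
        print(x, euler_sign_counts(x), h_x_fraction(x))
```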

3.3 Privacy 

Theorem 3 Assume the computational infeasibility of computing discrete logarithms to the base g, of factoring n, and of determining (h/x) for x being a factor of n. Then on inputting n = pq with p and q being odd primes, the protocol Two_Prime_Product is perfect computational zero-knowledge.

Proof First, we note that in protocol step 2, Alice picks two random numbers u and v with ℓ(u) = ℓ((p − 1)/2) and ℓ(v) = ℓ((q − 1)/2). Since p and q are odd, it is clear that for the challenge case c = 1, the responses do not disclose any information about p and q.

Now on the input tuple (g, A, B, n, P), each iteration in a protocol run can be simulated perfectly by a simulator in polynomial time. The simulator picks the following values uniformly at random (which means it picks h and c exactly as Bob does, and picks r and s exactly as Alice picks u and v):

h ∈ Z_n^* satisfying (h/n) = −1;

c ∈ {0, 1}; if c = 1 then it further picks d ∈ {1, −1};

r, s with ℓ(r) = ℓ(s) or ℓ(r) = ℓ(s) ± 1, satisfying ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2.

Using these random values, it then computes the following values to construct a simulated view.

For c = 0:

G_u ← g^{2r} mod P, G_v ← g^{2s} mod P,
H_u ← B^{(h^r mod n)} mod P, H_v ← A^{(h^s mod n)} mod P;

For c = 1:

G_u ← g^{2r}/A mod P, G_v ← g^{2s}/B mod P,
H_u ← (B^{(h^r mod n)})^d mod P, H_v ← (A^{(h^s mod n)})^{−d} mod P.

Under the hypotheses of the theorem, the values G_u, G_v, H_u, H_v will have exactly the same distribution as those in a true proof interaction. Therefore, the simulation is perfect. Consequently, Bob gains no additional information about p and q other than from n. (We point out that since g is a quadratic residue, for both cases of c all values computed above are quadratic residues modulo P.) □

3.4 Performance 

Compared with the previous approaches of applying proofs of Blum integers, square-freeness and factor sizes, the new protocol saves the need of agreeing on mutually trusted challenges, and saves the additional cost of showing factor sizes.

Since it is generally accepted that the Solovay-Strassen primality test (SSPT) on a non-secret number is very efficient (though Miller-Rabin will be more efficient), we shall make a precise performance comparison between our protocol and SSPT. We consider k iterations in our protocol and in an instance of performing SSPT.

First, we shall not consider the cost for Alice to set up n since it is irrelevant to the cost of the proof protocol. Thus, the system setting-up involves one primality test on P (by both Alice and Bob), and fixing the element g (by Bob). Note that P is non-smooth because P − 1 contains n as a factor. So almost all elements in Z_P^* satisfy the requirements of g. Thus, the cost of this part is roughly that of the primality test on P. The test can use Solovay-Strassen. By the prime number theorem, the size of P can be bounded above by log_2(n) + log_2(log_2(n)).

Recall that we have pointed out that in the real use of our protocol, Bob will only need to evaluate very few Jacobi symbols (the reason is given in the discussion at the end of Section 3.2). SSPT needs to evaluate 2k Jacobi symbols. Nevertheless, evaluation of Jacobi symbols is very efficient compared with the modulo exponentiations; so we shall omit this part of the comparison.

Next, checking the sizes of the responses in our protocol step 5.1 takes trivial computation. So we shall omit counting that cost too.

Now observe that in our protocol, in each iteration, Alice and Bob compute the same number of modulo exponentiations: six exponentiations modulo P, and two more modulo n. Considering ℓ(P) ≈ ℓ(n) = 2ℓ(p), together these convert to 16 exponentiations modulo p. This is the real computational cost of our protocol.

In each iteration of SSPT testing the primality of opened p and q, two exponentiations modulo p are required. Thus, in comparison of the numbers of modulo exponentiations with respect to the same size, the performance of our protocol counts for that of running eight instances of SSPT. Further adding the primality test on P by both parties with ℓ(P) ≈ 2ℓ(p), we conclude the following theorem.

Theorem 4 The whole computational cost for demonstrating n being the product of two primes of roughly equal sizes using protocol Two_Prime_Product is at the same level as that of running 12 primality tests using SSPT on non-secret numbers of size equal to ℓ(n)/2, or equivalently, 6 such tests on non-secret numbers of size ℓ(n).

In terms of bit operations, probabilistic testing of the primality of P counts for O(k log_2(P)) operations. Considering log_2(P) ≈ log_2 n + log_2 log_2 n, the computational cost of the protocol can be measured by O(k(log_2 n + log_2 log_2 n)) bit operations.

We should point out that in this estimate we have added the computations of Alice and Bob. If a standard parallelisation proof technique is used (using a cryptographically secure hash function to generate challenges), then a proof can be viewed as a certificate for the structure of n. In that case, the cost of a verification will only count half of that given by Theorem 4.

To the author's knowledge, this result is better than those of all known previous protocols that can prove the structure of n being the product of exactly two primes with structure being congruent to 3 modulo 4, yet without showing their sizes. We therefore believe that the cost of the proposed protocol reaches a new low.

4 Conclusion 

We have constructed an efficient proof of knowledge protocol for demonstrating that an integer is the product of two prime factors of roughly equal sizes. The proposed protocol is the first of its kind to prove such a structure with an efficiency comparable to that of a Monte-Carlo method for primality testing on non-secret numbers of comparable sizes. It is also the first of its kind to prove such a structure without limiting to Blum integers. An open problem is to further demonstrate efficiently the structure of p ± 1. Such a demonstration will show further strengths of n = pq against a number of known factoring algorithms.



CLAIMS

1. A method for proving to a verifier that an integer n, supplied to the verifier by a prover, is an authentic RSA modulus, by proving that n is the product of exactly two different odd prime numbers of similar sizes, the method not being limited to n being a Blum integer and comprising the prover showing the verifier Solovay-Strassen primality evidence in a zero-knowledge proof.

2. A method according to claim 1, comprising an iterative process of challenge-response interaction between the prover and the verifier, wherein a challenge is chosen at random solely by the verifier, and, for a number of iterations k, the number of bit operations needed to prove that n is an authentic RSA modulus is O(k(log_2(n) + log_2(log_2(n)))) with a probability of error being






